My client was the one who reformatted the drive twice.  I've taken care to avoid changing anything on the drive.

Instead of charging my clients money, I'm asking for a reference and recommendation for a "real" forensics job.

On Wed, 02 Feb 2011 18:52:30 -0600
Jeremy MountainJohnson <jeremy.mountainjohnson at gmail.com> wrote:

> Getting original filenames in that instance might prove difficult with 
> all that reformatting. Photorec should also come packaged with another 
> application called testdisk, which can help recover deleted and damaged 
> partitions. Testdisk is great for rebuilding partitions which may help 
> allow you to further recover files with their original file names- both 
> of which you can do with testdisk. Or, if you're feeling real 
> adventurous, the command line tool hexedit or the gui tool wxheditor are 
> great for handling drives- both have search capabilities which would 
> allow for rebuilding via hex.
> 
> The thing with photorec and other tools like it (i.e. scalpel) is that it 
> is only signature based, so it has no way of obtaining original file 
> names because it only cares about file type headers and their endings 
> (or likely endings). The advantage to this is that you're more likely to 
> get the most amount of files recovered (a smaller puzzle with fewer 
> pieces).
> 
> I'd also like to remind you of the licensing agreement with the software 
> you are using. It might be worth taking a peek at as I recall I don't 
> believe it can be used for profit (your use of the word "client" leads 
> me to believe a profit is involved) without consent of the author.  Just 
> a heads up, I appreciate this guy's work and I'd hate to see it misused.
> 
> *Jeremy MountainJohnson*
> jeremy.mountainjohnson at gmail.com
> 
> 
> On 02/01/2011 09:32 AM, Jason Hsu wrote:
> > I've been providing free computer recovery services in exchange for a testimonial and recommendation.
> >
> > I have a client with a 500 GB hard drive that originally had an NTFS partition for about the first 370 GB and a Linux partition for the rest. He tried to install Ubuntu on the Linux partition. But for some reason, the installer reformatted the entire drive as ext4. He then reformatted the first 370 GB or so as NTFS to get the original formatting back so he could recover the Windows files from the original partition. However, the original Windows files did not appear, and Iolo Search and Recover couldn't find the files either.
> >
> > What do you suggest for recovering the files? PhotoRec will take 100 hours and does NOT recover filenames or the directory structure. I'll end up with numerous files with random names, and many of these files will be system files rather than personal files. What alternatives to PhotoRec do you suggest? I need something that's both faster AND that saves filenames and the directory structure.
> >
> > This is so much more difficult than recovering files from a bad Windows installation, which merely requires booting up a Linux live CD and copying the files to an external drive.
> >
> > This is so much more difficult than recovering files from a bad hard drive.  I've found that if PhotoRec can read the hard drive (which it always has as long as the drive spins), Puppy Linux can do so as well.  Thus, Puppy Linux is my favorite tool for copying files from a bad hard drive to a good drive.  It takes a long time, but it works well and even preserves filenames and directories.
> >
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list


-- 
Jason Hsu <jhsu802701 at jasonhsu.com>
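
Added example, not part of the thread and not PhotoRec or scalpel code: a minimal signature-based carver run over a constructed in-memory image, showing why the quoted reply says such tools cannot return original file names. The names carve, carved_name, build_sample_image, MAX_SIZE and the 512-byte SECTOR are assumptions made for this illustration.

```python
# Added illustration of signature-based carving; not PhotoRec or scalpel code.
SIGNATURES = {  # file type -> (header magic, footer magic)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 1 << 20  # assumed cap on how far to look for a footer
SECTOR = 512        # assumed sector size, used only to label output


def carve(image: bytes):
    """Return sorted (offset, ext, data) for each header/footer pair."""
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            start = pos + len(header)
            end = image.find(footer, start, start + MAX_SIZE)
            if end == -1:
                # Header with no footer in range: overwritten or truncated.
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((pos, ext, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found)


def carved_name(offset: int, ext: str) -> str:
    """The only name a carver can give: one derived from the location."""
    return f"f{offset // SECTOR:08d}.{ext}"


def build_sample_image() -> bytes:
    """Constructed 16 KiB 'drive' with no filesystem metadata left on it."""
    image = bytearray(32 * SECTOR)
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe0" + b"X" * 40  # header whose tail is gone
    for sector, blob in ((4, jpg), (10, png), (20, orphan)):
        image[sector * SECTOR:sector * SECTOR + len(blob)] = blob
    return bytes(image)


if __name__ == "__main__":
    for offset, ext, data in carve(build_sample_image()):
        print(carved_name(offset, ext), len(data), "bytes")
```

The carver reads only content bytes between a header and a footer; file names and directory structure live in filesystem metadata it never consults, so the output can only be labelled by where the data was found.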